Pwning Malware with Ninjas and Unicorns
ID: a26452d3-6a14-5ca4-b951-87aa68065d57
STIX ID: report--a26452d3-6a14-5ca4-b951-87aa68065d57
Feed Name: LevelBlue SpiderLabs Blog
This report documents a DFIR-driven reverse engineering effort against a packed ELF64 Linux malware (likely a new SysUpdate variant). The analyst details static and dynamic analysis that identified custom key-generation and an XOR-based encryption/decryption routine, and demonstrates building Unicorn Engine (Rust) emulators and Binary Ninja/GDB-assisted memory carving to generate the malware's key material and decrypt intercepted C2 traffic.